Data Destruction

Why throwing your old electronics in the trash could be hazardous to your company’s health

Story by Lee Reinsch

July 2018

You’ve been trying for the last three years to unearth that grubby Commodore 64 you bought in 1982 – ever since you heard one sold online for $23,000. Problem is, it’s buried under a mountain of old iMacs, towers, CRT monitors, 15-pound laptops from the Pleistocene era, and keyboards with keys the size of the original Chunky candy bar. You vow to clean up your act.

But don’t wheel the bin up to the door just yet.

Not only is Mount Silicon probably not going to fit in your wastebasket, it’s illegal in Wisconsin to dispose of electronics parts in the trash. And if a fine from the state Department of Natural Resources isn’t enough inspiration to recycle your computer waste, how about a lawsuit from your friendly attorney across town?

Business privacy concerns

Those computers of yours may contain more than just hazardous waste – they may hold confidential information that could be hazardous if it gets into the wrong hands.

“Nowadays you don’t want your data getting out for any reason whatsoever, whether it’s an employee walking out with it, or a PC or a copier with a hard drive in it that’s being thrown out,” said Chad Hayes, Sadoff E-Recycling’s chief technology officer and director of its I.T. Asset Disposition program. It’s a business unit of Fond du Lac-based Sadoff Iron & Metal.

The Federal Trade Commission reported some 371,061 identity thefts in 2017. The ‘good’ news is that Wisconsin accounted for only 1 percent of those, and our state ranks 41st in identity-theft complaints nationwide. But in our wired world, identity theft knows no geographical boundaries – it doesn’t take fellow Wisconsinites to steal your identity. Someone around the globe could just as easily take your information and use it against you.

“If somebody gets hold of your personal information, from your driver’s license number to your Social Security number, they can set up a new identity for you, take out credit based on your credit history, and get you into a boatload of trouble,” said Eric Haas, owner of ARMS, a De Pere-based data destruction service. “Once they can’t utilize your credit anymore, they just discard it, and you’re technically potentially stuck with that boatload.”

Wiping the slate clean?

Erasing data alone isn’t sufficient, according to attorney John Schuster, owner of Caliber Law in Oshkosh. It can usually be recovered.

“We see this as part of litigation all the time, where if somebody thinks they wiped the hard drive, there’s always someone who can recover most of the information,” Schuster said.

Schuster said he frequently gets asked for advice on safe electronic waste disposal.

“The best answer I give them is that, one, they have a plan for handling old technology and two, they make sure the hard drives get destroyed – and by destroyed, I mean it has to go to a destruction service.”

Sadoff’s program separates the recyclable or reusable parts of the computer, such as plastic, and demolishes the parts that store information. The plastic shells with hard drives removed could be fitted with brand-new hard drives and sold as refurbished computers. Sadoff doesn’t reuse old hard drives; in fact, it doesn’t let them off of their property, according to Hayes.

“If you give us anything that has any data on it, it gets destroyed – we literally shred it,” in accordance with standards of the National Institute of Standards and Technology and the National Association for Information Destruction (NAID), Hayes said. “Wiping the hard drive isn’t 100 percent, and from an I.T. perspective, we don’t want to see that. So no hard drive leaves our facility.”

Hayes said Sadoff can help companies reposition computers within the company so they can be kept as long as possible.

“Architects use programs like CAD and upgrade every two or three years since technology changes so fast. Those old computers aren’t state-of-the-art, so they get new ones,” Hayes said. “We can help with developing strategies where you can place your assets within your company.”

Onsite destruction

NAID-certified ARMS has a mobile shred-truck that travels to clients so they can see the shredding process without leaving their premises.

“Everything we do is on site, so the truck has specialized equipment built on a chassis that makes the truck about three times more expensive,” said Haas.

After barcoding and inventorying each piece of equipment, ARMS feeds it into the truck via a chute. It’s conveyed inside and shredded down to particulates and recycled, he said.

“We then provide the client a certificate of destruction, which will be populated with all the barcode numbers from those drives, so there’s a tracking point and an audit basis that could go backward for the client,” Haas said.
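The barcode list on a certificate of destruction is only useful as an audit trail if someone checks it against what was actually handed over. The sketch below is an added example, not part of the original story and not ARMS’s or Sadoff’s own tooling; the record format, barcode values and device names are constructed for illustration.

```python
from collections import Counter

def normalize(barcode):
    """Scanner output varies in case and whitespace; compare a canonical form."""
    return barcode.strip().upper()

def reconcile(inventory, certificate_barcodes):
    """Compare drives handed over with the barcodes listed on the certificate.

    inventory: list of {'barcode', 'device'} dicts (hypothetical format).
    certificate_barcodes: barcode strings copied from the certificate.
    """
    handed_over = {normalize(item["barcode"]) for item in inventory}
    counts = Counter(normalize(b) for b in certificate_barcodes)
    listed = set(counts)
    return {
        "destroyed": sorted(handed_over & listed),    # confirmed on certificate
        "missing": sorted(handed_over - listed),      # handed over, never certified
        "unexpected": sorted(listed - handed_over),   # certified, not in our records
        "duplicates": sorted(b for b, n in counts.items() if n > 1),
    }

def unaccounted_devices(inventory, report):
    """Devices that still have at least one drive with no destruction record."""
    missing = set(report["missing"])
    return sorted({i["device"] for i in inventory
                   if normalize(i["barcode"]) in missing})

# Constructed sample data: four drives pulled from three devices.
INVENTORY = [
    {"barcode": "HD-0001", "device": "front-desk PC"},
    {"barcode": "HD-0002", "device": "CAD workstation"},
    {"barcode": "HD-0003", "device": "CAD workstation"},   # second drive
    {"barcode": "HD-0004", "device": "office photocopier"},
]
# Constructed certificate contents: one entry repeated, one unknown barcode.
CERTIFICATE = ["hd-0001 ", "HD-0002", "HD-0002", "HD-0009"]

if __name__ == "__main__":
    report = reconcile(INVENTORY, CERTIFICATE)
    for category, barcodes in report.items():
        print(f"{category}: {barcodes}")
    print("follow up on:", unaccounted_devices(INVENTORY, report))
```

Any entry under "missing" or "unexpected" is a question for the destruction provider before the certificate is filed.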

Thinking outside the black box

Sensitive information can be left on less obvious items than computers. Phones, flash drives, PalmPilots, iPads – even photocopiers – can all retain information.

“It’s a place a lot of businesses don’t think about – they will get rid of photocopiers every year, and there’s probably more information on the photocopier than on a lot of the nodes they have sitting on their desks,” Haas said.

“You think about what goes through a photocopier in an office on any given day: a lot of personal health information, maybe Social Security numbers and the like,” he said.

“People need to be aware that you need to pull the drives from those photocopiers before they go out the door, and make sure they’re certifiably destroyed,” Haas said.

What’s the big deal if info gets out?

There are some obvious industries – financial services, healthcare, legal services – that everyone knows deal with private information, and we expect them to take extra measures to keep it safe.

But what if you’re a small hardware store, scrapbook store or yarn shop that isn’t covered under HIPAA or other information privacy laws?

We can hear you now: “We’re tiny. We don’t collect information, and we certainly don’t keep customers’ credit card numbers on file. Why should we care?”

So what about that less-exciting info?

“The question always becomes, ‘what if it’s just customer lists and mailing lists and whether that’s protected information,’” Schuster said. “I think with the way the law is evolving, there’s an argument that those distribution lists are confidential unless you have people signing things when they provide the information allowing you to sell or release it. I think that’s going to be the new source of lawsuits coming in the next few years.”

Same with people finding out their information is on your business’s computer long after you got rid of it.

“You’re going to see lawsuits if people find hard drives full of information, and those whose information was taken find out about it,” Schuster warned.

Another issue in the future could be cloud storage, and how to ensure those companies actually do make your information invisible to anyone else, according to Schuster.

“Before you use a cloud service, I would say go with one of the top cloud-service providers with established names – like Box.com, Dropbox, Citrix – with a reputation and a lot to lose,” Schuster said. “Be careful with smaller providers or free providers, like some of the local internet services providing free storage on the cloud. (Information) may not be made non-searchable by those service providers.”

The fox watching the hen house

One security factor is the department everyone forgets until something goes wrong: I.T.

They can get into anyone’s computer, practically have free rein over the building, they’re barely noticed, and they’re often in charge of electronics inventory.

That’s why they, too, should be reminded that information stays in the building, Schuster said.

“I always tell my clients to take two minutes for even minor computer guys when they come onsite … sometimes a verbal reminder can reinforce that somebody has signed a confidentiality agreement to keep it fresh in their heads,” Schuster said. “Especially if they’re not signing confidentiality agreements each time they are entering the building.”

Everyone who comes into contact with proprietary or sensitive information should be asked to sign such an agreement, Schuster said.

During upgrades, the I.T. department is often the one that collects the old computers and decommissions them. The I.T. department, as well as any contracted company involved in recycling or disposing, should be kept accountable when it comes to ensuring every computer collected is securely accounted for – and that none disappear along the way.

The same goes for the data-destruction company you use.

“I think a business owner just has to do their due diligence to make sure their data-destruction company explains their procedures and how they protect confidential information,” Schuster said. “I have clients who will actually send someone out to watch over the process – which is always a good policy – to make sure that information isn’t getting ‘lost’ on the way, stolen by employees, and that sort of thing. Which is why some data-destruction companies shred right in the parking lot, bring the shredder to you, so you can have someone out in the parking lot, watching.”

ARMS’s Haas advises going with only NAID-certified companies.

“If the provider is not NAID certified, then you’re not protecting yourself,” he said. “Because then you’re just trusting that they have a process that’s protecting you, versus having an outside organization who audits the process and the procedure.”

Lee Reinsch of Green Bay worked 18 years at daily newspapers before launching her freelance business, edgewise, in 2007.